Blade Maker, posted June 28, 2010

I made a basic username search box for anyone out there looking for an easy-to-edit script. This script is ready to be installed on your website, but will need modifications to suit your needs. I will be willing to install it for you for free and/or modify it.

```php
<form method="POST">
    <input type="text" name="search" />
    <input type="submit" name="submit" />
</form>
<?php
$search = $_POST['search'];
$submit = $_POST['submit'];
mysql_real_escape_string($search); // return value is not assigned, so $search stays as typed
if(isset($submit)){
    if(!strlen($search)){
        # Change depending on how you report user errors.
        die('Please enter a search term.');
        exit;
    } else {
        $connect = mysql_connect('host', 'username', 'password') or die('Couldn\'t connect!');
        mysql_select_db('database') or die('Couldn\'t find db');
        $searchsql = mysql_query("SELECT username FROM `users` WHERE username LIKE '%$search%'");
        while ($row = mysql_fetch_array($searchsql)) {
?>
<a href="<?php echo $row['username']; ?>.php"><?php echo $row["username"]; ?></a>
<?php
        }
    }
}
?>
```

I will try to add security, hold on.
Jordan Palmer, posted June 28, 2010

I would suggest securing the $_POST['']..
LordDan, posted June 28, 2010

Hmm, I'm going to be really picky now, but I develop with error reporting set to -1 (better than E_ALL) and this will spit out errors..

```php
# NO, NO, NO!
$search = $_POST['search'];
$submit = $_POST['submit'];
if($submit){
    # ...
}
```

```php
# Use error reporting people! It'll force good habits!!! (Extra spacing used for clarity)
if( isset( $_POST['submit'] ) ){
    if( !isset( $_POST['search'] ) ){
        # Change depending on how you report user errors.
        header('location: search.php?error='. urlencode( 'Please enter a search term.' ) );
        exit;
    } else {
        # Why no security? 0_o
        $search = mysql_real_escape_string( $_POST['search'] );
        # Continue the rest....
        # PHP PHP PHP PHP PHP........
    }
}
```

So, not to be picky, I know you said "basic", but all those years ago when I started learning PHP, I used tutorials posted in forums just like this and as a result I had bad habits and messy code. It took a while before some pro told me to stop reading crap-quality posts and buy a book. Basically, what I am saying is, basic example or not, use good habits for the sake of those wanting to learn ^^
Blade Maker (author), posted June 28, 2010

OK thanks, I will try next time. Anyways, how is the script now?
Joshua, posted June 29, 2010

Highly insecure and will run slow. I'd suggest looking up the MySQL improved (mysqli) functions as well as reading a bit more on the security end. It's not horrid, but it's not great either :)
Blade Maker (author), posted June 29, 2010

OK, I will try to make it more secure.
Djkanna, posted June 29, 2010

Just my two cents =) I dislike HTML stuffed in with PHP :P

```php
<form action="blah" method="post">
    <p>
        <label for="search">Search:</label>
        <input type="text" name="search" id="search" />
    </p>
    <input type="submit" value="Search" />
</form>
<?php
/* PHP STUFF */
if(isset($_POST['search'])) {
    $mysql = new mysqli('host', 'username', 'pass', 'db');
    if ($mysql->connect_error) {
        trigger_error('Error: '.$mysql->connect_error, E_USER_ERROR);
    }
    // A ? inside a quoted '%?%' literal is not a placeholder; bind the whole pattern instead.
    $stmt = $mysql->prepare("SELECT `username` FROM `users` WHERE (`username` LIKE ?)");
    $term = '%'.strip_tags($_POST['search']).'%'; // bind_param needs a variable, not an expression
    $stmt->bind_param('s', $term);
    $stmt->execute();
    $stmt->store_result(); // needed before num_rows is meaningful on a statement
    if($stmt->num_rows) {
        $stmt->bind_result($username);
        while ($stmt->fetch()) {
            echo 'Username: '.$username; //I hate using markup within PHP tags (reason there's no </p> here).
        }
    } else {
        //Error no results
    }
    $stmt->close();
    $mysql->close();
}
```

I doubt the above is very functional (or practical), but I hope it gives you an idea :thumbup:
LordDan, posted June 29, 2010

It's better, but it will still error (for me with error reporting). It will work though.

```php
$search = $_POST['search'];
$submit = $_POST['submit'];
```

Every time you enter the page you are placing posted data into a variable, but if you just entered the page and have not posted yet, you'll get a $search undefined index error. Place this at the top of the script, and you will see what I mean:

```php
<?php error_reporting(-1); ?>
```

To fix, I used if isset to only collect $search if we actually submitted..

```php
if( isset( $_POST['submit'] ) ){
    // You don't need to store this into a variable as we're only using it here
    // Now code in here will only be run if $_POST['submit'] is set...
    // Now we can move onto getting our search term.
    if( !isset( $_POST['search'] ) || empty( $_POST['search'] ) ){
        // No point searching without a search term
        die( 'Please enter a search term!');
    }
    // If we made it this far without the die() triggering above,
    // we should be good to continue..
    $search = mysql_real_escape_string( $_POST['search'] );
    // Add any additional filtering to $search and continue MySQL here
}
```

Now nothing is undefined because we're only executing our search code if we have actually pressed the Search button :)

Good luck, hope that helps you out a little more, and remember to use the error_reporting(-1);, it'll help you improve the quality of your code greatly. :thumbup:
Zero-Affect, posted June 29, 2010

EW DJK! burn in hell for that lol

```php
$_POST['search'] = isset($_POST['search']) && ctype_alnum($_POST['search']) ? $_POST['search'] : FALSE ;
if ( empty($_POST['search']) ) {
    // no usable search term: report the error here
}
```

then simply replace strip_tags($_POST['search']) with $_POST['search']
LordDan, posted June 29, 2010

Is it just me, or is MySQLi just even more lines of code? I've never used it myself, so I did a little search; seems most developers regard MySQLi as a failure and say stick with MySQL, so what gives? ?(
Blade Maker (author), posted June 29, 2010

Who knows..... Anyways, I just want to know, am I on the right track of making a username search box? I mean, for being a basic one, it might not be secure, but I will work on that later.
DigitalGerm, posted June 29, 2010

The search is case sensitive! So add or change (your choice):

```php
$search = $_POST['search'];
# $search = strip_tags( $search );
# $search = $mysqli->real_escape_string( $search );
$search = strtoupper($search);
$sql = "SELECT `username` FROM `users` WHERE upper(username) LIKE '%$search%'";
```

You are reading public information, so you don't have to be so alert. I think the strip tags and escape string will do just fine. After that you could simply check if num_rows > 0 and start a loop with fetch_array:

```php
$result = $mysqli->query($sql);
if ($result->num_rows > 0) {
    while($array = $result->fetch_array(MYSQLI_ASSOC)) {
        // echo "";
    }
}
```

etc.
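The three suggestions above (Djkanna's prepared statement, LordDan's isset/empty guard before touching $_POST, and DigitalGerm's case-insensitive match) fit together in one script. The following is an added example written for this thread, not code from any of the posters; it assumes a `users` table with a `username` column, a `profile.php?user=` page for links, the mbstring extension, and placeholder connection details. It also escapes the LIKE metacharacters `%`, `_` and `\` in the user's term, which none of the posts cover, so a term like `a_b` matches literally instead of acting as a wildcard.

```php
<?php
// Added example for the thread above; not any poster's code.
// Assumed: table `users`(`username`), page profile.php, mbstring, placeholder DB credentials.
declare(strict_types=1);

/**
 * Only collect a term when the form was actually submitted (LordDan's point),
 * and bound its length so an oversized input is rejected up front.
 * Returns null when there is nothing usable to search for.
 */
function search_term_from_request(array $post): ?string
{
    if (!isset($post['submit'], $post['search'])) {
        return null; // page loaded without a submission: no undefined-index notices
    }
    $term = trim((string) $post['search']);
    if ($term === '' || mb_strlen($term, 'UTF-8') > 64) {
        return null;
    }
    return $term;
}

/**
 * Build a LIKE pattern in which the user's text is matched literally.
 * %, _ and \ are escaped with a backslash, MySQL's default LIKE escape character.
 */
function like_pattern(string $term): string
{
    return '%' . addcslashes($term, '%_\\') . '%';
}

/**
 * Case-insensitive substring search using a prepared statement.
 * The whole pattern is a bound parameter, so no user text is ever spliced into SQL.
 * LOWER() on both sides makes the comparison case-insensitive regardless of collation.
 */
function find_usernames(mysqli $db, string $term, int $limit = 50): array
{
    $stmt = $db->prepare("SELECT `username` FROM `users` WHERE LOWER(`username`) LIKE ? LIMIT ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $pattern = like_pattern(mb_strtolower($term, 'UTF-8'));
    $stmt->bind_param('si', $pattern, $limit);
    $stmt->execute();
    $stmt->bind_result($username);
    $names = [];
    while ($stmt->fetch()) {
        $names[] = $username;
    }
    $stmt->close();
    return $names;
}

// --- request handling ---------------------------------------------------------
$term = search_term_from_request($_POST);
if ($term !== null) {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
    $db = new mysqli('db-host', 'db-user', 'db-pass', 'db-name');  // placeholders
    $db->set_charset('utf8mb4');
    foreach (find_usernames($db, $term) as $name) {
        // Escape on output so a username containing markup cannot inject into the page.
        $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        echo '<a href="profile.php?user=' . rawurlencode($name) . '">' . $safe . '</a><br />' . "\n";
    }
    $db->close();
}
?>
<form method="post">
    <label for="search">Search:</label>
    <input type="text" name="search" id="search" maxlength="64" />
    <input type="submit" name="submit" value="Search" />
</form>
```

Two design choices worth noting: validation (is there a term, is it a sane length) is separated from the query, so a missing or empty term never reaches the database; and the escaping happens at the two boundaries where it matters, `like_pattern()` for the LIKE wildcard grammar and `htmlspecialchars()`/`rawurlencode()` for the HTML and URL contexts on output, rather than mutating `$_POST` in place with strip_tags().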
Blade Maker (author), posted June 29, 2010

Thanks. That last comment, Digital, helped.
Djkanna, posted June 30, 2010

> EW DJK! burn in hell for that lol
>
> $_POST['search'] = isset($_POST['search']) && ctype_alnum($_POST['search']) ? $_POST['search'] : FALSE ;
> if ( empty($_POST['search']) ) {
>
> then simply replace strip_tags($_POST['search']) with $_POST['search']

Now why would I do that? For example, I wanted to search for someone with the name 'Mr.Doodles' or 'Newbs!!'. I'd want to allow characters that aren't [A-Za-z].

Personally I'd use filter_var($var, FILTER_SANITIZE_STRING); but I couldn't be assed typing it ^.^
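The disagreement above is really about allow-listing versus sanitising. An added example (not from either poster) that takes the allow-list side while still admitting names like 'Mr.Doodles' and 'Newbs!!': the permitted character set and the 32-character limit are assumed site rules, not anything the thread states. Rejecting an invalid term is preferable to silently altering it the way strip_tags() or FILTER_SANITIZE_STRING do, and FILTER_SANITIZE_STRING has been deprecated since PHP 8.1 in any case.

```php
<?php
// Added example; not any poster's code. Assumed site rule: usernames consist of
// letters, digits and the punctuation . _ - ! with at most 32 characters.
declare(strict_types=1);

/**
 * Accept or reject a search term against an explicit allow-list.
 * Returns the term unchanged when it is valid, null otherwise, so the caller
 * can report an error instead of searching for something the user did not type.
 */
function validate_search_term(string $term, int $maxLen = 32): ?string
{
    $term = trim($term);
    if ($term === '' || mb_strlen($term, 'UTF-8') > $maxLen) {
        return null;
    }
    // /u treats the input as UTF-8; \p{L} and \p{N} admit non-ASCII letters and digits,
    // unlike ctype_alnum(), which is byte-based and locale-dependent.
    return preg_match('/\A[\p{L}\p{N}._!\-]+\z/u', $term) === 1 ? $term : null;
}

// Constructed inputs: the two names from the post plus cases the rule should reject.
$samples = ['Mr.Doodles', 'Newbs!!', 'plain123', 'Zoë', '<b>bold</b>', "a\nb", str_repeat('x', 40)];
foreach ($samples as $s) {
    $verdict = validate_search_term($s) === null ? 'rejected' : 'accepted';
    printf("%-16s %s\n", json_encode($s), $verdict);
}
```

Run as a script, the first four samples are accepted and the markup, newline and over-long inputs are rejected. Note that this check is about what a username may look like on this site; SQL safety still comes from the prepared statement, not from the regex.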
Zero-Affect, posted June 30, 2010

I just had a look at filter_var; they have some nice options... But for the non-PHP 5 users... my version will work fine... same with PHP 5 really, just preference.
iSOS, posted July 15, 2010

(Wrong post.);